Cisco NAC Appliance 3300 Series (Integrated Hardware/Software)

Warning Cisco NAC Appliance Release 4.5 only supports and can only be installed on the following Cisco NAC Appliance platforms: Cisco CCA-3140, Cisco NAC-3310, Cisco NAC-3350, Cisco NAC-3390, Cisco NAC Network Module (NME-NAC-K9). You cannot upgrade to or install release 4.5 on any other platform.

With the Cisco NAC Appliance 3300 Series, Cisco introduces three new integrated hardware platforms that are pre-installed with the Cisco NAC Appliance software (release 4.0.3.3 or later). The Cisco NAC Appliance 3300 Series is intended to facilitate ordering and installation of the Cisco NAC Appliance on your network.

Note that NAC 3300 Series platforms are available only as fully integrated appliances containing both hardware and software, and cannot be ordered as hardware-only platforms.

Note You must use identical appliances (e.g. NAC-3350 and NAC-3350) in order to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).

Footnote 1 You can upgrade NAC 3300 series appliances to the releases listed in the "Cisco NAC Appliance Versions Supported" column only. Release 4.0(5) is the minimum 4.0(x) version and release 4.1.2.1 is the minimum 4.1(x) version supported on NAC 3300 appliances. Releases 4.1(0)/4.1.0.1/4.1.0.2 do not support and cannot be installed on NAC 3300 appliances. If introducing a NAC 3300 appliance to your network, you must upgrade all existing CAM/CAS machines to the same release (e.g. 4.1(8)) for compatibility. Other versions of the Cisco NAC Appliance software cannot be installed on a NAC 3300 appliance and are not supported. Refer to the applicable Release Notes for details.

Footnote 6 For CD software installation of Release 4.1(x)/4.0(x) on the NAC-3310 only (DL140 G3 based appliance), you must type an installation directive at the "boot:" prompt: either DL140 if directly connected, or serial_DL140 if serially connected to the appliance. See Required Installation Directives for details. Release 4.5 and later no longer require these installation directives for the NAC-3310 (see the Release Notes for Cisco NAC Appliance, Release 4.5 for details).

Cisco NAC Network Module for Integrated Services Routers

Warning Cisco NAC Appliance Release 4.5 only supports and can only be installed on the following Cisco NAC Appliance platforms: Cisco CCA-3140, Cisco NAC-3310, Cisco NAC-3350, Cisco NAC-3390, Cisco NAC Network Module (NME-NAC-K9). You cannot upgrade to or install release 4.5 on any other platform.

The Cisco NAC Network Module (NME-NAC-K9) offers the Clean Access Server (CAS) functionality on the next generation service module for the Cisco 2800 and 3800 Series Integrated Services Routers. The Cisco NAC network module is pre-installed with Cisco NAC Appliance software (release 4.1(2) or later). Once initial configuration is complete, the Cisco NAC network module is added to the Clean Access Manager's managed domain like any other CAS and is managed through the CAM's web console (GUI) interface.

Footnote 1 Release 4.1.2.1 is the minimum mandatory 4.1(x) version for Cisco NAC 3300 Series Appliances and the Cisco NAC network module. Cisco NAC Appliance software versions earlier than 4.1(2) are not supported and cannot be installed on the Cisco NAC network module. If introducing the Cisco NAC network module to your network, you must upgrade all existing CAM/CAS machines to the same release for compatibility (e.g. 4.5).

Footnote 1 Server configurations listed here have been tested with the Cisco Clean Access software and are supported platforms. If a server configuration is not listed, it may not have been tested with Cisco Clean Access and is not supported. If problems are encountered with installation of CCA software on a particular server model, the customer should contact TAC and provide exact configuration information.

Footnote 2 The "+" designation in the Min. CCA Version column indicates the server configuration is supported for the release branch (e.g. 4.1(x)) or starting from the CCA version specified and for subsequent versions (e.g. 4.0(6) and later).

Non-Orderable Supported Server Configurations

Warning Cisco NAC Appliance Release 4.5 only supports and can only be installed on the following Cisco NAC Appliance platforms: Cisco CCA-3140, Cisco NAC-3310, Cisco NAC-3350, Cisco NAC-3390, Cisco NAC Network Module (NME-NAC-K9). You cannot upgrade to or install release 4.5 on any other platform.

Table 4 lists the legacy hardware configurations that can no longer be ordered from server vendors, but will still be supported for legacy customers. The Clean Access Manager (CAM) and Clean Access Server (CAS) software will run on the server configurations listed starting from the minimum CCA version specified.

Footnote 1 When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Disable BIOS Redirection for Serial HA (Failover) Connections for details.

Footnote 2 Server configurations listed here have been tested with the Cisco Clean Access software and are supported platforms. If a server configuration is not listed, it may not have been tested with Cisco Clean Access and is not supported. If problems are encountered with installation of CCA software on a particular server model, the customer should contact TAC and provide exact configuration information.

Footnote 3 The "+" designation in the Min. CCA Version column indicates the server configuration is supported starting from the CCA version listed and for subsequent versions.

If your server machine is running CCA release 3.6(2) or below and uses other BCM 57xx NIC cards (i.e. other than 5702/5703/5704), you will need to either apply the CCA 3.6.2.1 patch, or upgrade your system to CCA 3.6(3) or above.

Required Installation Directives

Note Release 4.5 and later do not require installation directives for the NAC-3310.

For CCA release 4.1(x) and earlier only, you are required to type either the DL140 or serial_DL140 installation directive at the "boot:" prompt to install new system software via CD-ROM on the following hardware:

•HP ProLiant DL140 G3 servers

•NAC-3310 appliance (based on DL140 G3)

•Certain servers with LSI Logic SCSI drivers (e.g. Dell 1850)

For these server models, type either:

•DL140—if you are directly connected (monitor, keyboard, and mouse) to the machine

•serial_DL140—if you are installing the software via serial console connection

For example:

Cisco Clean Access Installer (C) 2007 Cisco Systems, Inc.

Welcome to the Cisco Clean Access Installer!

- To install a Cisco Clean Access device, press the <ENTER> key.

- To install a Cisco Clean Access device over a serial console,

enter serial at the boot prompt and press the <ENTER> key.

boot: DL140

Disable Serial Port Settings

If installing CCA version 4.1(x)/4.0(x)/3.6(x) software on Dell PowerEdge 750 or 1850, perform the following steps:

To disable serial port settings on a Dell 750:

1. Power up the box.

2. Press F2 to enter Setup (BIOS) mode.

3. Go to "Console Redirection."

4. Make sure "Console Redirect" is set to "Off", and "Redirection After Boot" is set to "Disabled."

5. Select "Save Changes and Exit."

6. Reboot the machine with the CCA software installation CD. The software should boot up correctly.

To disable serial port settings on a Dell 1850:

1. Power up the box.

2. Enter BIOS mode.

3. Go to "Integrated Devices" and disable "Serial Redirect".

4. Disable "Redirect after Boot".

5. Select "Save Changes".

6. Reboot the machine. The software should boot up correctly.

Disable Onboard NICs

If running CCA version 3.5(x)/3.4(x) on Cisco MCS-7825-I1-ECS1, or IBM eServer xSeries 306 servers with Adaptec 79xx SCSI controllers, disable the onboard NICs and use the following Intel/Broadcom PCI NICs instead:

•PWLA8492MT = Intel PRO/1000 MT Dual Port Server Adapter (copper)

•PWLA8492MF = Intel PRO/1000 MF (dual SX fiber LC connectors)

To disable onboard NICs for each CAM/CAS installation server:

1. Power up the box.

2. Press F1 to enter BIOS mode.

3. Disable on-board Ethernet Controllers 1 and 2.

4. Save and exit.

Disable SATA RAID

If installing CCA version 4.1(x)/4.0(x)/3.6(x)/3.5(x)/3.4(x) on the Cisco MCS-7825-I1-ECS1 (IBM x306-based platform), perform the following steps to disable SATA RAID.

•Each controller that is not supported by the Cisco Clean Access CD-ROM needs its driver downloaded from Cisco Secure Software and put on a driver disk so that the installation program can access the device.

•An anaconda (installation program) patch must also be applied.

If installing CCA software on a server that requires custom installation, follow the instructions below:

Step 4 Download the appropriate driver.img file, depending on the server on which you are installing:

•For HP DL360/380, you will need the SmartArray 6i Driver disk.

•For IBM 306, you will need the Adaptec SCSI 79xx Driver disk.

•For Dell 1750/1850, you will need the LSI SCSI Driver disk.

Step 5 Download the update.img file (General Update). You will need to create an update.img disk to apply the anaconda (installation program) patch.

Step 6 Save the Driver and Update files in the same C:\ directory as the rawrite file.

Step 7 Open a command tool and type:

C:\rawrite

Step 8 Enter the full name of the source file(s) and the destination floppy drive. You might need to change the filenames to something shorter, that is, fewer than 10 characters. Do this for each image. Typically, use the names driver.img and update.img.

Custom CD Install

To perform a custom installation for each Clean Access Manager and Clean Access Server machine:

Step 1 Insert the distribution CD-ROM that contains the CAM or CAS .iso file into the CD drive of the installation server machine.

Step 2 Connect to the machine directly with a keyboard and monitor, or by terminal emulation console over a serial connection.

Step 5 The program will prompt you for the driver diskette, then the update diskette. The installation then proceeds normally.

Caution Make sure to use the appropriate driver diskette for the platform.

Troubleshooting Network Card Driver Support Issues

Note The instructions in this section apply only to customer-supplied hardware platforms running Release 4.1(x) or earlier. This section does not apply to Release 4.5 which only supports the CCA-3140, NAC-3310, NAC-3350, NAC-3390, and NME-NAC Cisco NAC Appliance hardware platforms.

Typically, the Cisco NAC Appliance (Cisco Clean Access) installation program automatically detects the network cards on the target machine and loads the appropriate drivers. In some cases, such as when NIC cards are changed on the server hardware, you may need to manually load drivers if they are not automatically loaded. The instructions below describe how to do this. Note that you must follow the instructions specific to the Cisco Clean Access version being run:

Step 5 For Cisco NAC Appliance 4.0(x)/3.6(x), you can temporarily change settings on Broadcom tg3 NIC cards (eth0 and eth1) in order to test which settings work for your drivers. You can use the following sequence of commands to first turn auto-negotiation off, then set the speed and duplex:

# ethtool -s eth0 autoneg off

# ethtool -s eth0 speed 1000

# ethtool -s eth0 duplex full

Note that these settings are lost after a reboot. If you want manually configured settings to be preserved across every reboot, add the lines above that work for your system to the file /etc/rc.local.

Step 1 Connect to the server machine (Clean Access Manager or Clean Access Server) by serial cable or KVM and console into the box.

Step 2 Change to the driver directory as follows (where <driver_name> is the NIC card driver, such as bcm5700 or e1000):

cd /lib/modules/kernel-2.4.9-perfigo/drivers/addon/<driver_name>

Step 3 Type the following command: insmod ./<driver>.o

•For example, for Broadcom NIC cards, type: insmod ./bcm5700.o

•For Intel e1000-based NIC cards type: insmod ./e1000.o

Manually Load the Driver

If the steps above result in no errors, perform the next steps:

Step 4 Edit the file /etc/modules.conf with vi or another editor. Add the following two lines:

alias eth0 <driver>

alias eth1 <driver>

For example, for Broadcom 5700-based NICs, insert:

alias eth0 bcm5700

alias eth1 bcm5700

Or, for Intel e1000-based NICs, insert the following lines instead:

alias eth0 e1000

alias eth1 e1000

Hardcode Speed/Duplex for the Driver

Step 5 If the network card's operating parameters, such as speed and duplex, need to be hardcoded in the configuration file, add the appropriate option. For example, to hardcode Intel e1000 gigabit cards (eth0 and eth1) for 100Mbps full duplex, add the following line to the file /etc/modules.conf:

options e1000 Speed=100,100 Duplex=2,2

Table 8 lists the NIC driver options available for CCA version 3.5(x).
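As an added check (not part of the original Cisco document), the following Python parses a 2.4-kernel-style modules.conf fragment of the kind shown above and flags the mistakes that leave a CAM/CAS NIC unusable after reboot: a missing eth0/eth1 alias, eth0 and eth1 bound to different drivers, and e1000 Speed/Duplex lists whose value count does not match the number of aliased interfaces. The accepted e1000 values (Speed 0/10/100/1000, Duplex 0/1/2) are the legacy e1000 driver's documented options, and the sample file is constructed.

```python
"""Sanity-check /etc/modules.conf NIC entries before rebooting a CAM/CAS."""

# Per-interface values accepted by the legacy e1000 driver's module options:
# Speed 0=auto/10/100/1000, Duplex 0=auto/1=half/2=full. The bcm5700 driver
# uses different option names, so this checker validates e1000 options only.
E1000_VALUES = {"Speed": {"0", "10", "100", "1000"}, "Duplex": {"0", "1", "2"}}

# Constructed sample; on a real appliance read /etc/modules.conf instead.
SAMPLE_CONF = (
    "# NIC driver settings\n"
    "alias eth0 e1000\n"
    "alias eth1 e1000\n"
    "options e1000 Speed=100,100 Duplex=2,2\n"
)


def parse_modules_conf(text):
    """Return ({iface: driver}, {driver: {option: [values]}}) from file text."""
    aliases, options = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "alias" and len(parts) == 3:
            aliases[parts[1]] = parts[2]
        elif parts[0] == "options" and len(parts) >= 3:
            opts = options.setdefault(parts[1], {})
            for kv in parts[2:]:
                key, _, val = kv.partition("=")
                opts[key] = val.split(",")  # one value per interface
    return aliases, options


def check_nic_config(text):
    """Return a list of problems; an empty list means the entries look consistent."""
    aliases, options = parse_modules_conf(text)
    problems = [f"no alias for {i}" for i in ("eth0", "eth1") if i not in aliases]
    if len({aliases.get("eth0"), aliases.get("eth1")} - {None}) > 1:
        problems.append("eth0 and eth1 use different drivers")
    nics = [i for i in ("eth0", "eth1") if aliases.get(i) == "e1000"]
    for key, vals in options.get("e1000", {}).items():
        if key not in E1000_VALUES:
            problems.append(f"unknown e1000 option {key}")
            continue
        if len(vals) != len(nics):
            problems.append(f"e1000 {key} has {len(vals)} values for {len(nics)} interfaces")
        bad = [v for v in vals if v not in E1000_VALUES[key]]
        if bad:
            problems.append(f"invalid e1000 {key} value(s): {','.join(bad)}")
    return problems


if __name__ == "__main__":
    print(check_nic_config(SAMPLE_CONF) or "modules.conf NIC entries look consistent")
```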

CAS High Availability (HA) Requirements

Note You must use identical appliances (e.g. NAC-3350 and NAC-3350) in order to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).

Cisco recommends the use of a dedicated connection for failover heartbeat on Clean Access Server high-availability pairs. You can use:

•A serial null-modem cable, or

•UDP heartbeat over eth0 and a serial null-modem cable

Note When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Disable BIOS Redirection for Serial HA (Failover) Connections for details.

Note For serial cable connection for high availability (for either HA-CAM or HA-CAS pairs), the serial cable must be a "null modem" cable. For details, refer to http://www.nullmodem.com/NullModem.htm.

Japanese Windows XP Professional x64, Japanese Windows Vista Home Basic x64, Japanese Windows Vista Home Premium x64, Japanese Windows Vista Business x64, Japanese Windows Vista Ultimate x64

Note Only authentication is supported on 64-bit Windows systems. The Agent does not perform posture assessment or Nessus scanning. To support x64 Windows, the CAM/CAS/Agent must all be running the same release (e.g. 4.1.2.1 or 4.0.6.1).

Footnote 8 Mac OS 10.5 and 10.5.1 users can only authenticate to the 4.1(3) CAM/CAS. Mac OS 10.5/10.5.1 is not supported on earlier Cisco NAC Appliance versions.

Footnote 9 The Clean Access Agent only fully supports authentication/posture assessment/remediation on 32-bit operating systems. Any client OS not listed is not supported, even if the Agent can be installed on the client (e.g. Embedded XP is not supported).

Footnote 10 The Agent picks the correct language template based on the local computer Locale (under Control Panel > Regional and Language Options). Cisco recommends using the localized Agent in the localized version of Windows (e.g. French Agent in French Windows). Agent language template support only controls what the viewer sees after the Agent is installed; it does not include support for different client operating systems for the Agent Installer or for AV/AS products.

Footnote 11 For the Russian localized template, the Agent must run on Russian Windows to be able to display all characters correctly.

Footnote 12 For releases 4.0(x)/3.6(x)/3.5(x) and below, there is no localization provided for non-English languages (for example, the Clean Access Agent installs/authenticates on German Windows but displays all information and instructions in English).

Linux Operating System Client Support

For Web Login on Linux operating system clients, the Java Applet web client used for L3 MAC address/OS detection and for OOB IP refresh/renew after posture assessment is supported for the Cisco NAC Appliance release, web browser version and Java version listed in Table 10.

Footnote 2 Java version 1.4.2 is the minimum version required for Java Applet support.

Footnote 3 To support IP refresh/renew, "Defaults requiretty" must be commented out in the /etc/sudoers file on the Linux client. If it is not commented out, the applet used for IP refresh/renew fails with the error "sudo: sorry, you must have a tty to run sudo" when the script is called by the applet. PortBounce occurs on Fedora 8/9/10 clients during the IP Refresh after authentication.